Skip to main content

Erxes

3 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2024-57190 npm CRITICAL POC PATCH Act Now

Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.

Authentication Bypass Erxes
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-57189 npm MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-57186 npm MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-57190 npm
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Erxes versions prior to 1.6.1 contain a critical authentication bypass vulnerability where attackers can impersonate any user by injecting arbitrary values into the 'User' HTTP header, gaining unauthorized access to all GraphQL endpoints. This CWE-284 (Incorrect Access Control) flaw requires no authentication credentials, no user interaction, and can be exploited over the network with trivial complexity, resulting in complete compromise of confidentiality, integrity, and availability (CVSS 9.8). The vulnerability likely has active exploitation potential given the simplicity of the attack vector and the critical nature of authentication bypass flaws in widely-deployed platforms.

Authentication Bypass Erxes
NVD GitHub
CVE-2024-57189 npm
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

Path Traversal Erxes
NVD GitHub
CVE-2024-57186 npm
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Path Traversal Erxes
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy